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Abstract 

Consistency check has been the only criterion for theory evaluation 
in logic-based approaches to reasoning about actions. This work goes 
beyond that and contributes to the metatheory of actions by investi- 
gating what other properties a good domain description in reasoning 
about actions should have. We state some metatheoretical postulates 
concerning this sore spot. When all postulates are satisfied together 
we have a modular action theory. Besides being easier to understand 
and more elaboration tolerant in McCarthy's sense, modular theories 
have interesting properties. We point out the problems that arise 
when the postulates about modularity are violated and propose al- 
gorithmic checks that can help the designer of an action theory to 
overcome them. 
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1 Introduction 



In logic-based approaches to knowledge representation, a given domain is 
described by a set of logical formulas T, which we call a (non- logical) theory. 
That is also the case for reasoning about actions, where we are interested in 
theories describing particular actions. We call such theories action theories. 

A priori satisfiability is the only criterion that formal logic provides to 
check the quality of such descriptions. In this work we go beyond that, and 
argue that we should require more than the mere existence of a model for a 
given theory. 

Our starting point is that in reasoning about actions one usually distin- 
guishes several kinds of logical formulas. Among these are effect axioms, 
precondition axioms, and domain constraints. In order to distinguish such 
non-logical axioms from logical axioms, we prefer to speak of effect laws, ex- 
ecutability laws, and static laws, respectively. Moreover we single out those 
effect laws whose effect is _L, and call them inexecutability laws. 

Given these types of laws, suppose the language is powerful enough to 
state that action a is inexecutable in contexts where ifi holds, and executable 
in contexts where ip2 holds. It follows that there can be no context where 
ipi A ip2 holds. Now -i(v?i A (P2) is a static law that does not mention a. It 
is natural to expect that -'{(fi A (^2) follows from the static laws alone. By 
means of examples we show that when this is not the case, then unexpected 
conclusions might follow from the theory T, even in the case T is consistent. 

This motivates postulates requiring that the different laws of an action 
theory should be arranged modularly, i.e., in separated components, and in 
such a way that interactions between them are limited and controlled. In 
essence, we argue that static laws may influence the laws for actions, but 
the dynamic part of a theory should not influence the non-dynamic one. It 
will turn out that in all existing accounts allowing for these four kinds of 
laws [21 EH im El EZI , consistent action theories can be written that violate 
this requirement. We here give algorithms that allow one to check whether 
an action theory satisfies the postulates we state. With such algorithms, the 
task of correcting flawed action theories can be made easier. 

Although we here use the syntax of propositional dynamic logic (PDL) [T5] . 
all we shall say applies as well to first-order formalisms, in particular to the 
Situation Calculus [SE] • All postulates we are going to present can be stated 
as well for other frameworks, in particular for action languages such as A, 
ATZ [ini 1211 1121 others, and for Situation Calculus based approaches. 
In PHI we have given a Situation Calculus version of our analysis. 

This work is organized as follows: after some background definitions (Sec- 
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tion|21) we state (Section El) some postulates concerning action descriptions. 
In SectionsElandEl we study the two most important of these postulates, giv- 
ing algorithmic methods to check whether an action theory satisfies them or 
not. We then generalize (SectionlHI) and discuss (SectionlZj) possible strength- 
enings of our set of postulates, and show interesting results that their sat- 
isfaction gives us (Sectioning. Finally, before concluding, we assess related 
work found in the literature on metatheory of actions (Section IH)). 

2 Preliminaries 
2.1 Dynamic logic 

Here we establish the ontology of dynamic domains. As our base formalism 
we use PDL. For more details, see [TKt ITH]. 

Let 2lct = {fli, 02, . . .} be the set of all atomic action constants of a given 
domain. Examples of atomic actions are load and shoot. We use a as a vari- 
able standing for a particular atomic action. To each atomic action a there 
is an associated modal operator [a]. Here we suppose that the underlying 
multimodal logic is independently axiomatized (i.e., the logic is a fusion and 
there is no interaction between the modal operators I2(ij). 

*Prop = {Pi,P2,---} denotes the set of all propositional constants, also 
called fluents or atoms. Examples of those are loaded and alive. We use p as 
an atom variable. 

We suppose both 2tct and ^rop are finite. 

We use small Greek letters (p,ip, . . . to denote classical formulas. They 
are recursively defined in the following way: 

(p ::= p I T I ± I -up \ ipAip\ip\/ip\ip-^ip\ip<-^ip 

^xnl is the set of all classical formulas. 

Examples of classical formulas are walking —>■ alive and -i{bachelor A 
married). 

A classical formula is classically consistent if there is at least one valua- 
tion in the classical propositional logic that makes it true. Given (p G 5^m[, 
val{(p) denotes the set of all valuations of (p. We identify |= with the logical 
consequence in Classical Propositional Logic |=^pL- 

The set of all literals is £it = ^rop U {^p : p e ^xop}. Examples of 
literals are alive and -^walking. I will be used as a literal variable. If / = 
then we identify with p. 

A clause x is a disjunction of literals. We say that a literal / appears in a 
clause written / G if ^ is a disjunct of x- 



4 



We denote complex formulas (with modal operators) by capital Greek 
letters $i,$2, ■ ■ ■ They are recursively defined in the following way: 

<P ::= </3 I [a]<P \ (a)^ \ ^(!> \ <P A<P \ <P\/ <P \ <P ^ <P \ <P ^ <P 

where ^ denotes a complex formula, (a) is the dual operator of [a], de- 
fined as {a)$ =Def ~i[a]~i<?. Sequential composition of actions is defined by 
the abbreviation [ai, 02]^ =Def [fli][fl2]^- Examples of complex formulas are 
loaded^ [shoot]-i alive and [load\loaded. 

For parsimony's sake, whenever there is no confusion we identify a set of 
formulas with the conjunction of the formulas it is made of. The semantics 
we take into account here is that for multimodal K |89| |2] . 

Definition 2.1 A PDL-model is a triple ^ = {W, R, V) where is a 
nonempty set of possible worlds (ahas possible states), R: 2tct — > 2^^^ 
maps action constants a to accessibility relations Ra ^ W x W, and V: 
^rop — > 2 ^ maps propositional constants to subsets of W. 

Definition 2.2 Given a PDL-model ^ = {W,R,V), the satisfaction rela- 
tion is defined as the smallest relation satisfying: 

• 1=^ P (P is true at world w of model ^) if w G V{p); 

• \^ [d^ if for every w' such that wRaw' ^: 

• the usual truth conditions for the other connectives. 

Definition 2.3 A PDL-model M is a model of ^ (noted \^ <P) if and only 
if for all w G VF, ^. ^ is a model of a set of formulas T (noted \^ T) 
if and only if ^ for every ^ G T. 

Definition 2.4 A formula ^ is a consequence of the set of global axioms 
{<Pi, . . .,<Pn} in the class of all PDL-models (noted {^1, . . 1==,^^ ^) if 

and only if for every PDL-model if for every ^j, then |=^ ^.^ 

Having established the formal substratum our presentation will rely on, 
we present in the next section the different types of formulas we use to 
describe dynamic domains. 

"'^In |3| local consequence is considered. For that reason a further modal operator □ 
had to be introduced, resulting in a logic which is multimodal K plus monomodal S4 for 
□ , and where axiom schema 0<P — > [a]<P holds. 
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2.2 Describing action theories in PDL 

Before elaborating a theory, we need to specify what we are about to describe, 
i.e., what the formulas we state talk about. Following the tradition in the 
literature, we identify a domain (alias scenario) with the actions we take into 
account and the fluents they can change. More formally, we have: 

Definition 2.5 A domain is a tuple (2lct, ^rop). 

An example of a domain is the well-known Yale Shooting Scenario [T^ . 
whose actions are load, wait and shoot, and whose fluents are loaded and 
alive. 

Given a domain, we are interested in theories whose statements describe 
the behavior of actions on the considered fluents. PDL allows for the repre- 
sentation of such statements, that we here call action laws. We distinguish 
several types of them. We call effect laws formulas relating an action to its 
effects. Statements of conditions under which an action cannot be executed 
are called inexecutability laws. Executahility laws in turn stipulate the con- 
text where an action is guaranteed to be executable. Finally, static laws are 
formulas that do not mention actions. They express constraints that must 
hold in every possible state. These four types of laws are our fundamental 
entities and we introduce them more formally in the sequel. 

2.2.1 Static laws 

Frameworks which allow for indirect effects of actions make use of logical 
formulas that state invariant propositions about the world. Such formulas 
delimit the set of possible states. They do not refer to actions, and we 
suppose here that they are expressed as formulas of classical propositional 
logic. 

Definition 2.6 A static lau? is a formula (p G 5^m[ that is classically consis- 
tent. 

An example of a static law is walking alive, saying that if a turkey is 
walking, then it must be alive Another one is saved ^ {mboxl V mhoi2), 
which states that an e-mail message is saved if and only if it is in mailbox 1 
or in mailbox 2 or both |3]. 

^Static laws are often called domain constraints or integrity constraints. Because the 
different laws for actions that we shall introduce in the sequel could in principle also be 
called like that, we avoid these terms. 
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In action languages such as A and ATZ we would write the statement 
alive if walking, and in the Situation Calculus it would be the first-order 
formula 

\/s{Holds{walking, s) — > Holds{alive, s)). 

The set of all static laws of a given domain is denoted by 5. At first 
glance, no requirement concerning consistency of S is made. Of course, we 
want S to be consistent, otherwise the whole theory is inconsistent. As we 
are going to see in the sequel, however, consistency of S alone is not enough 
to guarantee the consistency of a theory. 

2.2.2 Effect laws 

Logical frameworks for reasoning about actions contain expressions linking 
actions and their effects. We suppose that such effects might be conditional, 
and thus get a third component of such laws. 

In PDL, the formula [a]ip expresses that ip is true after every possible 
execution of a. 

Definition 2.7 An ejfect lavfi for action a is of the form (/? where 
(fi,ip & S^nxl, with ip and ip both classically consistent. 

The consequent ip is the effect which obtains when action a is executed 
in a state where the antecedent (p holds. An example of an effect law is 

loaded [shoot]-i alive, saying that whenever the gun is loaded, after shooting 
the turkey is dead. Another one is T [tease]walking: in every circumstance, 
the result of teasing is that the turkey starts walking. For parsimony's sake, 
the latter effect law will be written [tease] walking. 

Note that the consistency requirements for </? and ip make sense: if (f is 
inconsistent then the effect law is superfluous; if ip is inconsistent then we 
have an inexecutability law, that we consider as a separate entity and which 
we arc about to introduce formally in the sequel. 

For the first example above, in action languages one would write the 
statement 

shoot causes ->alive if loaded, 

and in the Situation Calculus formalism one would write the first-order for- 
mula 

\/s{Holds{loaded, s) — > ->Holds{alive, do{shoot, s))). 

^Effect laws are often called action laws, but we prefer not to use that term here because 
it would also apply to executability laws that are to be introduced in the sequel. 
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2.2.3 Inexecutability laws 



We consider effect laws whose consequent ifj is inconsistent as a particular 
kind of law which we call inexecutability laws. (Such laws are sometimes 
called qualifications [35 .) This allows us to avoid mixing things that are 
conceptually different: for an action a, an effect law mainly associates it 
with a consequent ip, while an inexecutability law only associates it with an 
antecedent (f, viz. the context which precludes the execution of a. 

Definition 2.8 An inexecutability law for action a is of the form (f — > [a]-L, 
where ip G 'Sxnl is classically consistent. 

For example -ihasGun [shoot]!, expresses that shoot cannot be exe- 
cuted if the agent has no gun. Another example is dead [iease]_L: a dead 
turkey cannot be teased. 

In ATZ we would write the statement impossible shoot if -ihasGun, and in 
the Situation Calculus our example would be 



2.2.4 Executability laws 

With only static and effect laws one cannot guarantee that the action shoot 
can be executed whenever the agent has a gun. We need thus a way to state 
the conditions under which an action is guaranteed to be executable. 

In dynamic logic the dual {a)ip, defined as -i[a]-iv9, can be used to express 
executability. (a)T thus reads "the execution of action a is possible". 

Definition 2.9 An executability law^ for action a is of the form Lp — > (a)T, 
where G ^vcd is classically consistent. 

For instance hasGun {shoot)T says that shooting can be executed 
whenever the agent has a gun, and T — > (tease) T, also written ( tease) T, 
establishes that the turkey can always be teased. 

In action languages such laws are not represented. In Situation Calculus 
our example would be stated as 



^Some approaches (most prominently Reiter's) use biconditionals ip ^ ('j)T, called 
precondition axioms. This is equivalent to -tip <-> [a]^, highlighting that they merge 
information about inexecutability with information about executability. In this work we 
consider these entities different and keep them separated. 



^s{-iHolds{hasGun, s 



) — ^ -^Poss{shoot, s)). 



\/s{Holds{hasGun, s 



) Poss{shoot, s)). 
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Whereas all the extant approaches in the literature that allow for indirect 
effects of actions contain static and effect laws, and provide a way for repre- 
senting inexecutabilities (in the form of implicit qualifications [T H l3T | IHj). 
the status of executability laws is less consensual. Some authors [IHlIZllSlllllI 
more or less tacitly consider that executability laws should not be made ex- 
plicit but rather inferred by the reasoning mechanism. Others PH ITTj have 
executability laws as first class objects one can reason about. 

It seems a matter of debate whether one can always do without exe- 
cutabilities. In principle it seems to be strange to just state information 
about necessary conditions for action execution (inexecutabilities) without 
saying anything about its sufficient conditions. This is the reason why we 
think that we need executability laws. Indeed, in several domains one wants 
to explicitly state under which conditions a given action is guaranteed to be 
executable, e.g. that a robot never gets stuck and is always able to execute 
a move action. And if we have a plan such as load; shoot {load followed by 
shoot) of which we know that it achieves the goal -> alive, then we would like 
to be sure that it is executable in the first place!^ In any case, allowing for 
executability laws gives us more flexibility and expressive power. 



2.2.5 Action theories 

Given a domain (2lct, ^rop), for an action a G 2lct, we define S"" as the set 
of its effect laws, X°- the set of its executability laws, and I"' that of its 
inexecut ability laws. 

Definition 2.10 An action theory for a is a tuple = {S,£"', X"-,!"-). 
In our running scenario example, a theory for the action shoot would be 
S = {walking—^ alive}, S'^^°°*' = {loaded^ [shoof\^ alive}, 
p^shoot ^ ^f^asGun {shoot)T}, T^°°^ = {^hasGun [shoot]!.} 

Given a dynamic domain we define £ = Uaeaa^"' ^ ~ Uaestcf^"' 
I = UaGaict-^'^- these sets are finite, because 2tct is finite and each of the 
X", I" is finite. 

Definition 2.11 An action theory T is a tuple of the form {S ,S , X ,T). 

For parsimony's sake, whenever there is no confusion we write S,S,X ,1 |=p, 
^ instead oiSUSUXUl hp^L ^• 

^Of course this would require a solution to the qualification problem |35|. 
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When performing the task of formahzing dynamic domains, we face the 
frame problem jSH] and the ramification problem |9;. In what follows we 
formally present the logic of actions in which action theories will henceforth 
be described. 

2.3 Dynamic logic and the frame problem 

As it was already expected, the logical formalism of PDL alone does not 
solve the frame problem. For instance, if {S ,S , X ,1) describes our shooting 
domain, then 

S,S,X,I has Gun ^ [load\hasGun. 

The same can be said about the ramification problem in what concerns 
the derivation of indirect effects not properly caused by the action under 
consideration. For example, 

S,S,X,I \=^^^_ [tease]alive. 

Thus, given an action theory {S ,S , X ,1), we need a consequence relation 
powerful enough to deal with the frame and ramification problems. This 
means that the deductive power of PDL has to be augmented in order to 
ensure that the only non-effects of actions that follow from the theory are 
those that are really relevant. The presence of static constraints makes that 
this is a delicate task, and starting with [211011, several authors have argued 
that some notion of causality is needed. We here opt for the dependence 
based approach presented in P], which has been shown in [Hj to subsume 
Reiter's solution to the frame problem [IJ, and moreover at least partially 
accounts for the ramification problem. 

In the logical framework developed in 0, metalogical information, given 
in the form of a dependence relation, is added to PDL. 

Definition 2.12 (Dependence relation jS]) A dependence relation is a 

binary relation ^ C 2tct x £it. 

The expression a ^ I denotes that the execution of action a may make 
the literal / true. In our example we have 

_ J {shoot, ^loaded), {shoot, ^ alive), 1 
1^ {shoot, -^walking) , {tease, walking) J ' 

which means that action shoot may make the literals -^loaded, alive and 
-^walking true, and action tease may make walking true. 
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Semantically, the dependence-based approach rehes on the explanation 
closure assumption The reasoning behind its solution to the frame 

problem consists in a kind of negation as failure: Because (load, -ihasGun) ^ 

we have load^ -^hasGun, i.e., ^hasGun is never caused by load. Thus, 
in a context where hasGun is true, after every execution of load, hasGun still 
remains true. We also have tease ^ alive and tease ^ -lalive. The meaning 
of all these independences is that the frame axioms hasGun — >• [load\hasGun, 
-lalive —>■ [teas e\-^ alive and alive [tease]alive hold. 

We assume ^ is finite. 

A dependence relation ^ defines a class of possible worlds models J^^. 

Definition 2.13 Given a-^-model ^ = {W, R, V), the satisfaction relation 
is defined as the smallest relation satisfying: 

• all the truth conditions of Definition 12.21 

• whenever wRaw' then: 

— p implies h^, p, if a -A p: 

w w' 

— = p imphes h= , p, it a -ip. 

w w' 

Given ^ G A^^, <P and T, |=^ <P and T are defined as in Defini- 
tion O 

Definition 2.14 A formula ^ is a ^-hased consequence of . . . ,^„} in 
the class of all -^-models (noted . . . , |=^ <P) if and only if for every 

-^-model if for every then \^ <P. 

In our example it thus holds 

S,S,X,I 1=^ hasGun [load\hasGun 

and 

S,£,X,I 1=;^ -lalive [teas e]-i alive. 

In this way, the dependence-based approach solves the frame problem. 
However, it does not entirely solve the ramification problem: while indirect 
effects such as loaded — > [shoot]^walking can be deduced with |^ without 
explicitly stating that in the set of effect laws for shoot, we still have to state 
indirect dependences such as shoot ^ ^walking. Nevertheless, according to 
Reiter's view: 
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"what counts as a solution to the frame problem ... is a system- 
atic procedure for generating, from the effect laws, ... a parsimo- 
nious representation for [all] the frame axioms" |42j . 

We comply with that as we can define a semi-automatic procedure for 
generating the dependence relation from the set of effect laws. Moreover, as 
it has been argued in jH ^] , our approach is in line with the state of the 
art because none of the existing solutions to the frame and the ramification 
problems can handle domains with both indeterminate and indirect effects. 

In the next section we turn to a metatheoretical analysis of action theories 
and make a step toward formal criteria for theory evaluation. Before that, 
we need a definition. 

Definition 2.15 Let {S ,S , X ,1) be an action theory and its associ- 
ated dependence relation. Then ^ = {W, R, V) is the big (alias maxi- 
mal/standard) model for {S ,S , X ,2) and if and only if: 

• ^ is a -^-model; 

• W= val{S) (all valuations of S); 

• Ra = {{w,w') : Vo9 — > \a\ih E £VM, if 1=^ (p, then ib\. 

L\ // 111 ' W IV' 

In the rest of the paper we characterize when an action theory with a 
dependence relation has a big model. 

3 Postulates 

"When does a given action theory have a model?" , and, more importantly, "is 
that model what we really expect from it?" are questions that naturally arise 
when we talk about action theories. Here we claim that all the approaches 
that are put forward in the literature are too liberal in the sense that we can 
have satisfiable action theories that are intuitively incorrect. We argue that 
something beyond the consistency notion is required in order to help us in 
answering those questions. 

We do not attempt here to provide a 'magical' method for making an 
action theory intuitive. Instead, what we are going to do in what follows is 
to provide some guidelines that help detecting unintuitive consequences of a 
theory and identifying its problematic part(s). 

Our central thesis is that the different types of laws define in Section 12.21 
should be neatly separated in different modules. Besides that, we want such 
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laws to interfere only in one sense: static laws together with action laws for 
a may have consequences that do not follow from the action laws for a alone. 
The other way round, action laws should not allow to infer new static laws, 
effect laws should not allow to infer inexecutability laws, action laws for a 
should not allow to infer action laws for a', etc. This means that our logical 
modules should be designed in such a way that they are as specialized and 
as little dependent on others as possible. 

A first step in this direction has been the proposed division of our entities 
into the sets S , £ , X and 1. In order to accomplish our goal, we have to di- 
minish interaction among such modules, rendering them the least interwoven 
we can. The rest of the section contains postulates expressing this. 

PC (Logical consistency): 5, f", A"",!" ^ ± 

The theory of a given action should be logically consistent. 

PS (No implicit static laws): 

if S.S^X^X" 1^ then S^^ 

If a classical formula can be inferred from the action theory, then it should 
be inferable from the set of static laws alone. (Note that on the left we use 
consequence in M.^^ while on the right we use consequence in classical logic: 
as both S and ip are classical, ip should be inferable from S in classical logic.) 

PI (No implicit inexecutability laws): 

if S,£\X\I^ 1=^ ^ [a]±, then S ,1" Hdl ^ ^ [«]^ 

If an inexecutability law for an action a can be inferred from its action theory, 
then it should be inferable in PDL from the static laws and the inexecutability 
laws for a alone. Note that we used instead of |=^ because we also 

suppose that neither frame axioms nor indirect effects should be relevant to 
derive inexecutability laws. The same remark holds for the postulates that 
follow. 

PX (No implicit executability laws): 

if S,£\X\X'^^^^^{a)T, then S,X^^^^^^-.{a)J 
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If an executability law for a can be inferred from its action theory, then it 
should already "be" in in the sense that it should also be inferable in 
PDL from the set of static and executability laws for a alone. 

Postulate PC is obvious, for we are interested in consistent theories. It 
can be shown that PX is a consequence of PS (see Corollary 18. Ij) . 

Thus, while PC is obvious and PX can be ensured by PS, things are less 
obvious for Postulates PS and PI: it turns out that for all approaches in 
the literature they are easily violated by action theories that allow to express 
the four kinds of laws. We therefore study each of these postulates in the 
subsequent sections by means of examples, give algorithms to decide whether 
they are satisfied, and discuss about what to do in the case the answer is 
'no'. 



4 No implicit static laws 

While executability laws increases expressive power, they might conflict with 
inexecut ability laws. Consider, for example, the following action theory: 

„ r ,, . T ^ n f \tease\walkinq, ^ 

= {walhng^ ahve}, = | ^^^^^^ _ IshoothaUve j ' 

Xi = {{tease)T}, = {^alive — > [iease]±} 
and the dependence relation: 

_ J {shoot, ^loaded), {shoot, ^ alive), 1 
[ {shoot, ^walking) , {tease, walking) j 

From this description we have the unintuitive xl'^"'^'^ ,Xl^°'^'^ \^ul 

turkey is immortal! This is an implicit static law because alive does not 

follow from alone: {5^,81^"'^, A'f '^^^^ Jf"*«) violates Postulate PS. 

How can we find out whether an action theory for a satisfies Postulate PS? 

Theorem 4.1 {S,£,X,1) and satisfy Postulate PS if and only if the 
big model for {S ,£ , X ,1) and is a model of {S,£ , X ,1) and 

Proof: 

(^): Let ^ = {W, R, V) he a. big model of {S ,£ , X ,X) and and suppose 
5 A ^ A A" A J is a model oi S VJ £ VJ X VJl). Then W = val{S), 
i.e., for all ip G ^ml and all w G W, ii \^ ^p, then there is a valuation v oi S 
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such that V makes ip true. From this it follows that if 1= ip for all w E W, 

w 

then (fi is true in all valuations of <S. Hence S,S,X ,1 ip impUes S \= (p, 
and then (5, X ,X) and satisfy Postulate PS. 

(<^=): Let .y£ = {W. R, y) be a big model of {S ,£ , X ,1) and Suppose 
{S,S, X ,X) and-^ do not satisfy Postulate PS. Then there must be G 5^ml 
such that S,£,X,T and iS ^ 99. This means that there is a valuation 

V oi S that falsifies (p. As v e W (because ^ is a big model) then ^ is not 
a model of (<S, £, X ,X) and ■ 

We shall give an algorithm to find a finite characterization of all^ implicit 
static laws of a given action theory (S ,8°", X"",!"-). The idea is as follows: 
for each executability law <^ — > (a)T in the theory, construct from £"■, X"' and 

a set of inexecutabilities {ipi [a]_L, . . . , — > [a] J-} that potentially 
conflict with ip — > (a)T. For each i, 1 < i < n, if A(/?j is satisfiable w.r.t. <S, 
mark -^{(p /\(p,j) as an implicit static law. Incrementally repeat this procedure 
(adding all the ->{ip A ipi) that were caught to S) until no implicit static law 
is obtained. 

For an example of the execution of the algorithm, consider {S-^, 8^'^°'^'^, Xl^"'^^, j^tease^ 
with ^ as above. For the action tease, we have the executability {tease)'T . 
Now, from 8['^°'^'^, j^tease g^j^j ^ ^j,y build an inexecutability for tease. 
We take [tease\walking and compute then all indirect effects of tease w.r.t. 
S^. From walking alive, we get that alive is an indirect effect of tease, 
giving us [tease\alive. But {tease, alive) ^ which means the frame axiom 
-'alive — > [tease\—>alive holds. Together with [tease\alive, this gives us the 
inexecutability -'alive — > [tease]±. As Si U {T,-ialive} is satisfiable (T is 
the antecedent of the executability ( tease) T), we get -> alive — > ±, i.e., the 
implicit static law alive. For this example no other inexecutability for tease 
can be derived, so the computation stops. 

Before presenting the pseudo-code of the algorithm we need some defini- 
tions. 

Definition 4.1 Let (p e ^ml and x ^ clause, x is an implicate of ip if and 
only if (p 1= X- 

In our running example, alive is an implicate of the set of formulas 
{walking alive, walking}. 

Definition 4.2 Let (p e ^ml and x a clause, x is a prime implicate of (p if 
and only if 

^Actually what the algorithm does is to find an interpolant of all implicit static laws 
of the theory. 
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• X is an implicate of and 

• for every implicate x' of ^9, x' 1= X implies x\= x' ■ 

The set of all prime implicates of a formula (p is denoted PI [if). 

For example, the set of prime implicates of Pi is just {pi}, and that of 
Pi A {^Pi V P2) A {^Pi V V P4) is {j*;^, P2, P3 V 2)4}. In our shooting domain, 
alive is a prime implicate of {walking —>■ alive, walking}. For more on prime 
imphcates and their properties, see pS] . 

Definition 4.3 Let (p,^ E ^ml Then A^ewCons^(^/') = PI{(p A^Ij)\ PI{v). 

The function NewCons^p{il)) computes the new consequences of p w.r.t. 
'?/': the set of strongest clauses that follow from fAip, but do not follow from 
ip alone (cf. e.g. It is computed by subtracting the prime implicates of 

(f from those of p Aip. For example, NewConSp^{{-^Pi V P2) A {-^Pi ^ p-i^Z 
Pi)) = {P2,P3 V Pi}- And for our scenario, NewCons^aiking^aiive{waMng) = 
{alive, walking}. 

The algorithm below improves the one in [SHj by integrating a solution 
to the frame problem (via the dependence relation As a matter of 

notation, we define = S"" U 1°" as the set of all formulas expressing the 
direct consequences of an action a, whether they are consistent or not. 

Algorithm 4.1 (Finding all implicit static laws induced by a) 
input: (5,^^ A"*,X'^) and --^ 

output: Simp*, the set of all implicit static laws of {S ,8°', 

Simp* • ~ 

repeat 

Simp • ~ 

for all p {a)T G do 

for all C^CC such that C" ^ do 

for all X ^ NewConss{iJca) do 

if 5 U U -ix} ± and V4 G x, a 7^ 4 then 

'^imp : = Simp U {^(v9 A v^c" A ~^X)} 

Simp* • ~ Simp* U Simp 

until = 
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In each step of the algorithm, S U Simp* is the updated set of static laws 
(the original ones fed with the implicit laws caught up to that point). At the 
end, Simp* collects all the implicit static laws. 

Theorem 4.2 Algorithm 14. II terminates. 

Proof: Let C = S°'Ul"'. First, the set of candidates to be an implicit static 
law that might be due to a and that are examined in the repeat-loop is 

{^{lP a (fie- ^ ^X) ■ C'^ ^ C", ^ (a)T e and x e NewConss{ipc-)} 

As and X"- are finite, this set is finite. 

In each step either the algorithm stops because Simp = 0) or at least one 
of the candidates is put into Simp in the outermost for-loop. (This one ter- 
minates, because X"-, C"' and NewCons are finite.) Such a candidate is not 
going to be put into Simp in future steps, because once added to 5 U Simp*, 
it will be in the set of laws S U Simp* of all subsequent executions of the out- 
ermost for-loop, falsifying its respective if-test for such a candidate. Hence 
the repeat-loop is bounded by the number of candidates, and therefore Al- 
gorithm ^3 terminates. ■ 

This is the key algorithm of the paper. We are aware that it comes 
with considerable computational costs: first, the number of formulas ip^-a 
and tp^'a is exponential in the size of C*, and second, the computation of 
NewCons s{ijj^-a) might result in exponential growth. While we might expect 
C"' to be reasonably small in practice (because S"' and X"' are in general small), 
the size of NewCons sii'c'^) niore difficult to control. 

Example 4.1 For Jf'^*'^), Algorithm gU returns S,mp* = 

{alive}. 

Theorem 4.3 An action theory {S, £"■, X", X") with satisfies Postulate PS 
if and only if Simp* = 0- 

Proof: See Appendix 1X1 ■ 

Theorem 4.4 Let Simp* be the output of Algorithm l4.1l on input (5, 8°-, X", X°-) 
and Then 

1. {S U Simp*, 8°", X°-,X°') has no implicit static law. 

2. S ,8"", X'^,X°' 1= /\Simp*- 
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Proof: Item ^ is straightforward from the termination of Algorithm 14.11 
and Theorem 14.31 Item |21 follows from the fact that by the if-test in Algo- 
rithm the only formulas that are put in Simp* at each execution of the 
repeat-loop are exactly those that are implicit static laws of the original 
theory. ■ 

Corolary 4.1 For all if G Jml, S, S", X", if if and only if SUSimp* h 

If. 

Proof: For the left-to-right direction, let ip E ^ml be such that S, £"', X'^, 2°- \= 
if. Then S U Simp*, X",!" f, by monotonicity. By Theorem lOim.^ 
{S U Simp*, X"',T"-) has no implicit static law, hence S U Simp* \= ^■ 
The right-to-left direction is straightforward by Theorem I4.4l l^ ■ 

What shall we do once we have discovered an implicit static law? 

The existence of implicit static laws may indicate too strong executability 
laws: in Example 14.11 we wrongly assumed that tease is always executable. 
Thus one way of 'repairing' our theory would be to consider the weaker 
executability alive ^ {tease)T instead of {tease)T in A'*'^'""^. 

On the other hand, implicit static laws may also indicate that the inexe- 
cutability laws are too strong: 

Example 4.2 Consider 5 = 0, 8'^"°^ = {loaded [shoot]^aHve}, X'^""^ = 
{has Gun — > {shoot)T} and 1'^^°°*' = {[shoot]!.}, with ^ still as above. For 
this theory Algorithm 14. II returns Simp* = {~'hasGun}. 

In Example 14.21 we discovered that the agent never has a gun. The prob- 
lem here can be overcome by weakening [shoot]! in 2^^°°* with -thasGun — > 
[shoot] !.^ 

We can go further on this reasoning and also argue that the problem 
may be due to a too strong set of effect laws or even to too strong frame 
axioms (i.e., a too weak dependence relation). To witness, for Example \4.1\ 
if we replace the law [tease]walking by the weaker alive — > [tease]walking, the 
resulting action theory would satisfy Postulate PS. In the same way, stat- 
ing the (unintuitive) dependence tease ^ alive (which means the frame ax- 
iom -lalive [tease]-i alive is no longer valid) guarantees satisfaction of PS. 
(Note, however, that this solution becomes intuitive when alive is replaced 
by awake.) 

^Regarding Examples 14.11 and 14.21 one might argue that in practice such silly errors 
will never be made. Nevertheless, the examples here given are quite simplistic, and for 
applications of real interest, whose complexity will be much higher, we simply cannot rely 
on the designer's knowledge about all side effects the stated formulas can have. 
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To finish, implicit static laws of course may also indicate that the static 
laws are too weak: 



Example 4.3 Suppose a computer representation of the line of integers, in 
which we can be at a strictly positive number, pos, or at a negative one 
or zero, -ipos. Let maxint and minint, respectively, be the largest and the 
smallest representable integer number. goLeft is the action of moving to the 
biggest integer strictly smaller than the one at which we are. Consider the 
following action theory for this scenario {ati means we are at number i): 

S = {ati —>■ pos : < i < maxint} U {ati ^ -^pos : minint < i < 0} 

^ ^ {atrainint ^ [goLeft]underflow}U = { ( oLeft)T} J = 
{ati [goLeft]ati^i : i > minint}, 

with the dependence relation {minint < i < maxint): 

{goLeft, ak), {goLeft, pos), 
{goLeft, -'pos), {goLeft, underflow) 

Applying Algorithm 14. II to this action theory gives us all the implicit static 
laws of the form -^{atiAatj), i ^ j, i.e., we cannot be at two different numbers 
at the same time. 

To summarize, in order to satisfy Postulate PS, an action theory should 
contain a complete set of static laws or, alternatively, should not contain too 
strong action laws. 

Remark 4.1 S U Simp* in general is not intuitive. 

Whereas in the latter example the implicit static laws should be added 
to S, in the others the implicit static laws are unintuitive and due to an 
(in)executability law that is too strong and should be weakened. Of course, 
how intuitive the modified action theory will be depends mainly on the knowl- 
edge engineer's choice. 

To sum it up, eliminating implicit static laws may require revision of S, 
S°- or or completion of A*" and X". Completing X"- is the topic we address 
in the next section. 



5 No implicit inexecutability laws 

Let = iSj^, = ^1 = (executabilities do not matter here), and 

let ^ be that for {Si,£i,X^,Ii). Note that (52, £^25 '^25^2) satisfies Postu- 
late PS. From [tease]walking it follows with ^2 that [tease]alive, i.e., in every 
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situation, after teasing the turkey, it is alive: S2,£2^°''^^ |=p>p|_ [tease\alive. Now 
as tease 7^ alive, the status of alive is not modified by tease, and we have 
£2''"'^^ 1^ '^O'live [tease\-i alive. From the above, it follows 

52,8^'"'', X^'"'',!^'"'' \=^ alive ^ [tease]±, 

i.e., an inexecutability law stating that a dead turkey cannot be teased. But 

hence Postulate PI is violated. Here the formula -> alive —>■ [tease] _L is an 
example of what we call an implicit inexecutability law. 

In the literature, such laws are also known as implicit qualifications [TT] . 
and it has been often supposed, in a more or less tacit way, that it is a 
positive feature of frameworks to leave them implicit and provide mechanisms 
for inferring them pTH EH] . The other way round, one might argue as well 
that implicit qualifications indicate that the domain has not been described 
in an adequate manner: the form of inexecutability laws is simpler than 
that of effect laws, and it might be reasonably expected that it is easier to 
exhaustively describe them.^ Thus, all inexecutabilities of a given action 
should be explicitly stated, and this is what Postulate PI says. 

How can we check whether PI is violated? We can conceive an algorithm 
to find implicit inexecutability laws of a given action a. The basic idea is as 
follows: for every combination of effect laws of the form A ... A ipn) —>■ 
[a]('?/'i A. . .Aipn), with each ipi — > [a]ipi G S"', if (piA. . .Aipn is consistent w.r.t. 
to S , ipiA. . .Aipn inconsistent w.r.t. S, and S,I°' (v'l A. . .Aipn) — * [f^J-L, 
then output A ... A (fn) [a]-L as an implicit inexecutability law. Our 
algorithm basically does this, and moreover takes into account dependence 
information. 

For an example of the execution of the algorithm, take (iSg, 82'^"'^'^, X^°'^'^, X^"-^^) 
with as given above. From £2'^°-'^'^ we get T — >■ [tease]walking, whose 
antecedent is consistent with S. As -> alive —>■ [teas e]-i alive and S U 
{walking} \= alive, and because S ,11^"'''^ (T ^ ^alive) [tease]-L, we 
caught an implicit inexecutability. As there is no other combination of effect 
laws for tease, we end the simulation here. 

Below is the pseudo-code of the algorithm for that (the reason ^Y"^ is not 
needed in the input will be made clear in the sequel): 

Algorithm 5.1 (Finding implicit inexecutability laws for a) 

®Note that this concerns the necessary conditions for executabihty, and thus it is not 
related to the quahfication problem, which basically says that it is difficult to state all the 
sufficient conditions for executabihty. 
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input: {S, S "■,!"■) a.iad ^ 

output: I^^p, the set of implicit inexecut ability laws for a 
1" : = 

imp ^ 

for all ^« C ^'^ do 

for all X ^ NewConssijp^a) do 

if V/i G X, ai^k and 5, J^F A ^x) ^ [«]^ then 

Theorem 5.1 Algorithm 15. II terminates. 

Proof: Straightforward, as we have assumed 1 and finite, and 

NewCons is finite (because S and '?/'^-a are finite). ■ 

Example 5.1 Consider 82"'^^ ,12^"'^^ and as given above. Then Algo- 
rithm EIU returns Tl^p^ = {^alive — > [tease]±}. 

Nevertheless, to apply Algorithm 15.11 is not enough to guarantee Postu- 
late PI, as illustrated by the following example: 

Example 5.2 (Incompleteness of Algorithm 15.11 without PS) Let 5 = 

0, = {p^ [a]p2}, = {{a)T}, J" = and 'v^= 0. Then 

we have S ,8°', X"',!"' \= Pi —>■ but after running Algorithm 15.11 on 

{S,S'',X-,I-) we have 5,21^ ^^^^ p, ^ [a]±. 

Example 15.21 shows that the presence of implicit static laws (induced by 
executabilities) implies the existence of implicit inexecutabilities that are 
not caught by Algorithm 15.11 One possibility of getting rid of this is by 
considering the weaker version of PI: 

PI' (No implicit inexecutability laws — weak version): 

a S^S^^X",!" h^f^ [a]±, and S^S^^X^,!" ^ ^yp, 

then5,J'^hpDL<^^[«]^ 

If a non-trivial inexecutability law for a given action a can be inferred from 
its respective theory, then it should be inferable in PDL from the static and 
inexecutability laws for it alone. 

With an adaptation of Algorithm 15 . II to take A"*^ in its input and support 
a test for satisfiability of an inexecutability's antecedent, we could guarantee 
completeness with respect to Postulate PI'. However such a test has the same 
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complexity of checking whether Postulate PS is satisfied. That is the reason 
we keep abide on PI and require {S, X°-,T°-) to satisfy Postulate PS prior 
to running Algorithm 15.11 This gives us the following result: 

Theorem 5.2 If {S ,8", X",!") with ^ satisfies Postulate PS, then it sat- 
isfies Postulate PI if and only if T^^^ = 0. 

Proof: See Appendix iBl ■ 

With Algorithm 15. not only do we decide whether Postulate PI is sat- 
isfied, but we also get information on how to "repair" the action theory. The 
set of imphcit inexecutabilities so obtained provides logical and metalogical 
information concerning the correction that must be carried out: in the first 
case, elements of X^^^ can be added to 1°", in the second one, 1^^^ helps in 
properly changing S"" or For instance, to correct the action theory of our 
example, the knowledge engineer would have the following options: 

1. Add the qualification -> alive — > [tease] ± to l^^"''^^] or 

2. Add the (unintuitive) dependence {tease, alive) to ^] or 

3. Weaken the effect law [tease\walking to alive —>■ [tease\walking in S^^"'^^, 

It is easy to see that whatever she opts for, the resulting action theory for 
tease will satisfy Postulate PI (while still satisfying PS). 

Example 5.3 (Drinking coffee |19] ) Suppose, for instance, a hypotheti- 
cal situation in which we reason about the effects of drinking a cup of coffee: 

drink _ j sugar ^ [drink]happy, 1 -y drink _ n- drink 



' [ salt ^ [drink]^ happy j' 

and the dependence relation 

^= {{drink, happy), {drink, -ihappy)} 

Observe that {S, £'^™^^ p^dnnk^jdnnk^ satisfies PS. Then, running Algorithm l5.1l 
on this action theory will give us Tf™^ = {{sugar A salt) [drink]!.}. 

Remark 5.1 X" UX^^ is not always intuitive. 

Whereas in Example 15.11 we have got an inexecutability that could be 
safely added to X^"''^'^, in Example 15.31 we got an inexecutability that is un- 
intuitive (just the presence of sugar and salt in the coffee precludes drinking 
it). In that case, revision of other parts of the theory should be considered in 
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order to make it intuitive. Anyway, the problem pointed out in the depicted 
scenario just illustrates that intuition is beyond syntax. The scope of this 
work relies on the syntactical level. Only the knowledge engineer can judge 
about how intuitive a formula is. 

In what follows we revisit our postulates in order to strengthen them to 
the case where more than one action is under concern and thus get results 
that can be applied to whole action theories. 

6 Generalizing the postulates 

We have seen the importance that satisfaction of Postulates PC, PS and PI 
may have in describing the action theory of a particular action a. However, 
in applications of real interest more than one action is involved, and thus a 
natural question that could be raised is "can we have similar metatheoretical 
results for complex action theories"? 

In this section we generalize our set of postulates to action theories as a 
whole, i.e., considering all actions of a domain, and prove some interesting 
results that follow from that. As we are going to see, some of these results 
are straightforward, while others must rely on some additional assumptions 
in order to hold. 

A generalization of Postulate PC is quite easy and has no need for justi- 
fication: 

PC* (Logical consistency): S,£,X,X ^ ± 

The whole action theory should be logically consistent. 
Generalizing Postulate PS will give us the following: 

PS* (No implicit static laws): 

if S,8,X,X ^ then S \=^^ ^ 

If a classical formula can be inferred from the whole action theory, then it 
should be inferable from the set of static laws alone. We have the following 
results: 

Theorem 6.1 {S,8,X,X) satisfies PS* if and only if {S ,8", X",!") satis- 
fies PS for all a e 2lct. 
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Proof: 

(=^): Straightforward. 

(<^): Suppose {S,8,X,I) does not satisfy PS*. Then there is </? e ^ml 
such that S ,£ ^1 ip and S Y= ip. (/? is equivalent to (/?! A . . . A with 
. . . , (y9„ G and such that there is at least one ipi such that S \^ ipi 
(otherwise S \= (p). Because the logic is independently axiomatized, there 
must be some a e 2lct such that <S, £"", X°-,X°' \= (pi. Prom this and S tpi 
it follows that (5, S", X", I") does not satisfy PS. ■ 

Theorem 6.2 li{S,S,X,l) satisfies PS*, then {S,E,X,X) satisfies PC* 
if and only if (5, X",!") satisfies PC for all a e 2lct. 

Proof: Straightforward as the underlying logic is independently axiomatized. 
■ 

A more general form of Postulate PI can also be stated: 
PI* (No implicit inexecutability laws): 

if »S, A'jX 9? — > [a]_L, then S ,1 \=,^^ ip ^ [a\l. 

If an inexecutability law can be inferred from the whole action theory, then 
it should be inferable in PDL from the static and inexecutability laws alone. 

Note that having that {S , £"", X^,J°') satisfies PI for all a E 2lct is not 
enough to {S,£, X ,1) satisfy PI* if there are implicit static laws. To witness, 
let 5 = = 0, and X''^ = {(ai)T}, J'^^ = W ^ Let also S"^ = 

p^a2 ^ ja2 ^ Observe that both (5, and {S,£^\X''^,I''^) 
satisfy PI, but S ,S , X ,T p [(12]-^ and S,I 'P — > [a2]-L. 

Nevertheless, under PS* the result follows: 

Theorem 6.3 Let {S,8,X,X) satisfy PS*. {S,£,X,I) satisfies PI* if and 
only if {S, A'^T") satisfies PI for all a e 2lct. 

Proof: 

(=4>): Suppose that S ,8°-, X"-,!" \^ p ^ [a]-L- By monotonicity of |^, 
S,£,X,I ^ ^ [a]±, too. Asl^S,£'',X satisfies PI*, S,I ^p^^ 

ip [a]±. 

Now suppose that S,!"" p [f*]-L- Then there exists a possible 

worlds model ^ = ( W. Ra, V) such that S /\T°' and there is a possible 
world V e H^such that |= p and ^ [a]±. Let = {W , R' , V) be such 

that W = W, V = V, R'^> = dl, for a' ^ a, and R'^ = Ra- Then S Al, 
and as S,T |== pi —>■ [a]_L, we get a contradiction. 
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(<^): Suppose that {S,£,X,X) does not satisfy PI*. Then there exists 
(/? e such that S,£,X,X \=_^(p ^ [a]± and S,X YpQ\_ ~^ ['^l-'-- 
Claim: <S,f", <^ ^ 0^- 

To witness, suppose S jS"', X"',!'^ ^ — > [a]±. Then there exists a 

possible worlds model ^ = {W, Ra, V) such that \^ S A S"" A X"" Al" and 
there is a possible world v G Pl^ such that if and ^ [fl]-L, i.e., there is 
v' E W such that i?a(v) = v'. (We are going to extend ^ to be a model of 
(cS,£,A',J).) 

For each a' e 2lct, a' 7^ a, we define: 

= : ^ [a']^ e and i^} 
I<^'{w) ^ {if : if ^ [o!\L e I"' and ^ (/?} 
= {(^ : ^ ^ (a')T e A""' and ^ (^} 
Let .y^' = {W,R!, V) be such that W ^ W, R' = ii„ U (Ja^a -^a'' and 
V' = F, where for each a! and every world w e W^: 

• =0, ifX«'(«;) ^0; 

• =w', if f^'K) 7^0. 

Because, by hypothesis, {S,£,X,X) satisfies PS*, there is no implicit static 
law, i.e., S is complete in our sense. Then, is a model of S. We have 
that is a model of £^ too: for every ip [a\il) G £ and every w G W , 

if then for all G H/' such that wR'w'. Clearly is also 

a model of X. is a model of X, too: it is a model of X"^ and for every 
a' a and all those worlds w e W such that X"-' (w) ^ there is a world 
accessible by i?', viz. some w' such that £^ {w') 7^ (because R'{w) = 
in this case would preclude X"'' (w) 7^ 0, as long as PS* is satisfied). Thus 
1= S A£ AX Al, but if this is the case, S ,£ , X ,X ip [c^]-L, hence we 
must have S, £"", X°',X°' ^ i^]-^- (End of the proof of the claim.) 

Prom S,I ip ^ [a]± it follows S,I°- ^^^^ ip [a]±. Putting all the 
results together, we have that {S ,£"', X'^,X"') does not satisfy Postulate PI. 
■ 

In the next section we make a step toward an attempt of amending our 
modularity criteria by investigating possible extensions of our set of postu- 
lates. 
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7 Disturbing modularity 



Can we augment our set of postulates to take into account other modules 
of action theories or even other metatheoretical issues in reasoning about 
actions? That is the topic we discuss in what follows. 



7.1 Postulates about effects of actions 

It seems to be in line with our postulates to require action theories not to 
allow for the deduction of new effect laws: if an effect law can be inferred 
from an action theory (and no inexecutability for the same action in the same 
context can be derived) , then it should be inferable from the set of static and 
effect laws alone. This means we should have: 

PE (No implicit effect laws): 

a S ,S , X ,1 (p ^ [a]ip and S,£,X,I f ^ [^l-L; 
then S,S (fi ^ [a]ip 

But consider the following intuitively correct action theory: 

^ _0 S —{ loaded-^ [shoot]^ alive, 1 
^ ' ^ I {^loaded A alive) — > [shoot]alive J 

A'4 = {hasGun — > {shoot)T}, — {->hasGun — > [s/ioo^]±} 

together with the dependence shoot ^ -'alive. It satisfies Postulates PS* 
and PI*, but does not satisfy PE. Indeed: 



and 
but 



£4, A'4,X4 ^ -lhasGunV loaded^ [shoot]-i alive 

S^,S^,X^,T^ ^ -yhasGuny loaded^ [5/ioot]_L, 
54,^4 ^ -ihasGuny loaded-^ [shoo1]-^alive 



So, Postulate PE would not help us to deliver the goods. 

Another possibility of improving our modularity criteria could be: 

P± (No unattainable effects): 

if </? — > [a\%l) e then 5, A',X ^ Lp ^ [a]_L 
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This expresses that if we have exphcitly stated an effect law for a in some 
context, then there should be no inexecutability law for the same action in 
the same context. It is straightforward to design an algorithm which checks 
whether this postulate is satisfied. We do not investigate this further here, 
but just observe that the slightly stronger version below leads to unintuitive 
consequences: 

P±' (No unattainable effects — strong version): 

if S,£ — > [alip, then S ,S , X ,T (p ^ [a]± 

Indeed, for the above action theory we have 

^4 1^ {^hasGun A loaded) [shoot]^alive, 

but 

S^,£^, ir^hasGun /\ loaded) [shooi\^.. 

This is certainly too strong. Our example also illustrates that it is sometimes 
natural to have 'redundancies' or 'overlaps' between £ and X. Indeed, as we 
have pointed out, inexecutability laws are a particular kind of effect laws, and 
the distinction here made is conventional. The decision of considering them 
as strictly different entities or not depends mainly on the context. At a rep- 
resentational level we prefer to keep them separated, while in Algorithm 14.11 
we have mixed them together in order to compute the consequences of an 
action. 

In what follows we address the problem of completing the set of exe- 
cutability laws of an action theory. 

7.2 Maximizing executabilities 

As we have seen, implicit static laws only show up when there are executabil- 
ity laws. So, a question that naturally raises is "which executability laws can 
be consistently added to a given action theory?" . 

A hypothesis usually made in the literature is that of maximization of 
executabilities: in the absence of a proof that an action is inexecutable in a 
given context, assume its executability for that context. Such a hypothesis 
is captured by the following postulate that we investigate in this section: 

PX+ (Maximal executability laws): 

if 5,£'',A"^,T'' ^ ^ ^ then 5, A"* |=pp^ ^ (a)T 
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Such a postulate expresses that if in context ip no inexecutabihty for a can 
be inferred, then the respective executabihty should follow in PDL from the 
executability and static laws. 

Postulate PX"^ generally holds in nonmonotonic frameworks, and can 
be enforced in monotonic approaches such as ours by maximizing X"". We 
nevertheless would like to point out that maximizing executability is not 
always intuitive. To witness, suppose we know that if we have the ignition 
key, the tank is full, . . ., and the battery tension is beyond lOV, then the car 
(necessarily) will start. Suppose we also know that if the tension is below 
8V, then the car will not start. What should we conclude in situations where 
we know that the tension is 9V? Maximizing executabilities makes us infer 
that it will start, but such reasoning is not what we want if we would like to 
be sure that all possible executions lead to the goal. 

8 Exploiting modularity 

In this section we present other properties related to consistency and modu- 
larity of action theories, emphasizing the main results that we obtain when 
Postulate PS* is satisfied. 

Theorem 8.1 If {S,£,X,X) satisfies Postulate PS*, then S,8,X,X^^ 1. 
if and only if 5 |= J-. 

This theorem says that if there are no implicit static laws, then consistency 
of an action theory can be checked by just checking consistency of S. 

Theorem 8.2 If {S,S,X,T) satisfies Postulate PS*, then S,S,X,I \=^ 
(p [a]ijj if and only if S, 8°',!°' ^ </? ^ [a]ijj. 

Proof: 

(<^=): Straightforward, by monotonicity. 

Suppose that S,£°',X°' ^ ^ [a]'0- Then there exists a possible 

worlds model e M^, ^ = {W,Ra,V), such that \^ S KE" KZ" and 
there is a possible world v e W^such that \^ </? and ^ [a]'0, i.e., there is 

v' ^ W such that Ra{v) — v' and ^ (We are going to extend ^ to 
obtain a model of {S,£, X ,X) and thus show that S,S,X,I (f ^ 
For each a' e 2lct, a' ^ a, we define: 

E^{w) = : ^ {d\i\} G E'^ and ^ ^} 
Z'^iw) = {(^ : ^ [a']± e and \^ 
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= : 99 ^ (a')T e X^' and ^ ^} 
Let = (H^, i?', l^) be such that W = W, R! = RaVJ UaVa^«'' 
1/ = F, where for each d and every world w & W: 

• R'{w) = 0, iil^'im) ^ 0; 

• i?'H if 7^0. 

Because, by hypothesis, (5, satisfies PS*, there is no imphcit static 

law, i.e., S is complete in our sense. Then, is a model of S. We have 
that is a model of £, too: for every (f — > [a]'^ e £ and every w e W^, 

if \^ (f, then |=^ for all w' E W such that wR'w'. Clearly is also 
a model of X. is a model of X , too: it is a model of X"" and for every 
a' ^ a and all those worlds w E W such that A"*^ (w) 7^ there is a world 
accessible by i?', viz. some w' such that £^{w') 7^ (because = in 

this case would preclude X'^^w) ^ 0, as long as PS* is satisfied). Hence 
1= S t\E t\X t\X. Because there are v^v' E W such that ^ </?, -R'(t') = v' 

and ^ we have 5, A',X ^ ^ [ajV'. ■ 
This means that under PS* we have modularity inside too: when 

deducing the effects of a we need not consider the action laws for other 
actions. Versions for executability and inexecutability can be stated as well: 

Theorem 8.3 If (5,£,A',X) satisfies Postulate PS*, then S,E,X,Z ^ 
(a)T if and only if <S, A"" (/? ^ («)T. 

Proof: 

(<^=): Straightforward, by monotonicity. 

(=^): Suppose that S^X'^ ^ ip — ^ («)T. Then there exists a possible 

worlds model M E Al^, M = {W^Ra, V), such that S /\ X°- and 
there is a possible world v E W such that </? and ^ («)T. (We are 
going to extend J!^ to build a model of {S,£,X,X) and thus conclude that 
5,£,A',X^ (a)T.) 

For each a' E 2lct, d ^ a, we define: 

£^[w) = {^:^^ [a']ij E and ^ ^} 
I^'{w) = {^:(p^ [a']± E I"' and ^} 
X'^{w) = {^:^^ (a')T E X"' and \^ Lp} 
Let ^' ^ {W, R', V) be such that W ^ W, R' ^ RaU Ua^a 
V' = F, where for each a' and every world w E W: 
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• R'{w) = 0, if J"'(u;) ^ 0; 



• R'{w) = w', if ^0. 

Because, by hypothesis, {S,S, satisfies PS*, there is no imphcit static 

law, i.e., S is complete in our sense. Then, is a model of S. We have 
that is a model of S, too: for every ip [ajip G S and every w G W, 

if 1=^ then |=^, ip for all ty' G W' such that wR'w'. Clearly is also 
a model of X. is a model of X , too: it is a model of A''* and for every 
d ^ a and all those worlds w ^ W such that X"^ [yS) ^ there is a world 
accessible by i?', viz. some such that E"^ {w') ^ (because R!{w) = in 
this case would preclude X"-' {w) ^ 0, as long as PS* is satisfied). Hence 
1= S /\£ /\ X /\T . Because there is f G such that 1= ip and (a)T, 
we \ime S ,£ , X ,T if {a)T . ■ 

Corolary 8.1 PX is a consequence of PS. 



Proof: Straightforward. ■ 

Theorem 8.4 If (5, A", X) satisfies Postulates PS* and PI*, then 5, ^, A', J ^ 
[a]_L if and only ii S ,X"' ip [^]-L- 

Proof: 

(<^=): Straightforward, by monotonicity. 

(^): \{ S^£,X^1 \= V? ^ ['^]-L; then from PS* and Theorem 18.21 we have 
5,^", J'^ h^V^ [a]L. From this and PI* it follows S.X" |^ ^ [a]±. ■ 



9 Related work 

Pirri and Reiter have investigated the metatheory of the Situation Calcu- 
lus jSH]- In a spirit similar to ours, they use executability laws and effect 
laws. Contrarily to us, their executability laws are equivalences and are thus 
at the same time inexecutability laws. As they restrict themselves to domains 
without ramifications, there are no static laws, i.e., 5 = 0. For this setting 
they give a syntactical condition on effect laws guaranteeing that they do 
not interact with the executability laws in the sense that they do not entail 
implicit static laws. Basically, the condition says that when there are effect 
laws ipi — > [a\%lj and — > [o] then ipi and are inconsistent (which 
essentially amounts to having in their theories a kind of "implicit static law 
schema" of the form -i(v9i A ^2))- 
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This then allows them to show that such theories are always consistent. 
Moreover they thus simplify the entailment problem for this calculus, and 
show for several problems such as consistency or regression that only some 
of the modules of an action theory are necessary. 

Amir focuses on design and maintainability of action descriptions ap- 
plying many of the concepts of the object-oriented paradigm in the Situation 
Calculus. In that work, guidelines for a partitioned representation of a given 
theory are presented, with which the inference task can also be optimized, 
as it is restricted to the part of the theory that is really relevant to a given 
query. This is observed specially when different agents are involved: the de- 
sign of an agent's theory can be done with no regard to others', and after the 
integration of multiple agents, queries about an agent's beliefs do not take 
into account the belief state of other agents. 

In the referred work, executabilities are as in |^ and the same condi- 
tion on effect laws is assumed, which syntactically precludes the existence of 
implicit static laws. 

Despite of using many of the object-oriented paradigm tools and tech- 
niques, no mention is made to the concepts of cohesion and coupling [30], 
which are closely related to modularity jTHI. In the approach presented in [T], 
even if modules are highly cohesive, they are not necessarily lowly coupled, 
due to the dependence between objects in the reasoning phase. We do not 
investigate this further here, but conjecture that this could be done there by, 
during the reasoning process defined for that approach, avoiding passing to 
a module a formula of a type different from those it contains. 

The present work generalizes and extends Pirri and Reiter's result to the 
case where 5 7^ and both these works where the syntactical restriction 
on effect laws is not made. This gives us more expressive power, as we can 
reason about inexecutabilities, and a better modularity in the sense that we 
do not combine formulas that are conceptually different (viz. executabilities 
and inexecutabilities). 

Zhang et al. ^Hl have also proposed an assessment of what a good ac- 
tion theory should look like. They develop the ideas in the framework of 
EPDL |42|, an extended version of PDL which allows for propositions as 
modalities to represent causal connection between literals. We do not present 
the details of that, but concentrate on the main metatheoretical results. 

Zhang et al. propose a normal form for describing action theories,^ and 
investigate three levels of consistency. Roughly speaking, an action theory T 

^But not as expressive as one might think: For instance, in modehng the nondetermin- 
istic action of dropping a coin on a chessboard, we are not able to state [drop\{hlack W 
white). Instead, we should write something like [drop^^^^JftZacfc, [drop^f^^^glwhite, 
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is uniformly consistent if it is globally consistent (i.e., T ^pf^^_ -L); a formula 
^ is T- consistent if T ^pj^^ ^ uniformly consistent theory; T 

is universally consistent if (in our terms) every logically possible world is 
accessible. T |=|ppL V implies |=|ppL V'- 

Furthermore, two assumptions are made to preclude the existence of im- 
plicit qualifications. Satisfaction of such assumptions means the action the- 
ory under consideration is safe, i.e., it is uniformly consistent. Such a normal 
form justifies the two assumptions made and on whose validity relies their 
notion of good action theories. 

Given these definitions, they propose algorithms to test the different ver- 
sions of consistency for an action theory T that is in normal form. This 
test essentially amounts to checking whether T is safe, i.e., whether T hip^^ 
(a)T, for every action a. Success of this check should mean the action theory 
under analysis satisfies the consistency requirements. 

Nevertheless, this is only a necessary condition: it is not hard to imagine 
action theories that are uniformly consistent but in which we can still have 
implicit inexecutabilities that are not caught by their algorithm. Consider 
for instance a scenario with a lamp that can be turned on and off by a toggle 
action, and its EPDL representation given by: 



The causal statement [on]-ioff means that on causes -^ojf. Such an action 
theory satisfies each of the consistency requirements (in particular it is uni- 
formly consistent, as T ^p^^ -L)- Nevertheless, T is not safe for the static 
law -'{on A off) cannot be proved. 

Although they are concerned with the same kind of problems that have 
been discussed in this paper, they take an overall view of the subject, in 
the sense that all problems arc dealt with together. This means that in 
their approach no special attention (in our sense) is given to the different 
components of the action theory, and then every time something is wrong 

[droPbiack,whiteWack and [drophi^^^,^^^,t^]white, where drop^i^^^. is the action of dropping 
the coin on a black square (analogously for the others) and drop = dropi^i^^^i^ U drop,^y^^^^ U 
d'''0Puack,whitei with "U" the nondeterministic composition of actions. 

possible solution could be to consider the set of static constraints explicitly in 
the action theory (viz. in the deductive system). For the running example, taking into 
account the constraint on -lOjff (derived from the causal statements and the EPDL global 
axioms), we can conclude that T is safe. On the other hand, all the side effects such a 
modification could have on the whole theory has yet to be analyzed. 
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with it this is taken as a global problem inherent to the action theory as a 
whole. Whereas such a "systemic" view of action theories is not necessarily 
a drawback (we have just seen the strong interaction that exists between 
the different sets of laws composing an action theory), being modular in our 
sense allows us to better identify the "problematic" laws and take care of 
them. Moreover, the advantage of allowing to find the set of laws which 
must be modified in order to achieve the desired consistency is made evident 
by the algorithms we have proposed (while their results only allow to decide 
whether a given theory satisfies some consistency requirement). 

Lang et al. j2ZI address consistency in the causal laws approach |31j, fo- 
cusing on the computational aspects. They suppose an abstract notion of 
completion of an action theory solving the frame problem. Given an action 
theory T"' containing logical information about a's direct effects as well as 
the indirect effects that may follow (expressed in the form of causal laws), the 
completion of roughly speaking is the original theory T"- amended of logi- 
cal axioms stating the persistence of all non-affected (directly nor indirectly) 
literals. (Note that such a notion of completion is close to the underlying se- 
mantics of the dependence relation used throughout the present paper, which 
essentially amounts to the explanation closure assumption |I3].) 

Their executability problem is to check whether action a is executable 
in all possible initial states (Zhang et al.'s safety property). This amounts 
to testing whether every possible state w has a successor w' reachable by a 
such that w and w' both satisfy the completion of T"^. For instance, still 
considering the lamp scenario, the representation of the action theory for 
toggle is: 



q-toggle 



toggle ™ 
on ^ Off, 

rr toggle 

Off — > on, 



off — ^ -^on, 
on — > -^off 

where the first two formulas are conditional effect laws for toggle, and the 
latter two causal laws in McCain and Turner's sense. We will not dive in the 
technical details, and just note that the executability check will return "no" 
for this example as toggle cannot be executed in a state satisfying on A off. 

In the mentioned work, the authors are more concerned with the complex- 
ity analysis of the problem of doing such a consistency test and no algorithm 
for performing it is given, however. In spite of the fact their motivation is the 
same as ours, again what is presented is a kind of "yes-no tool" which can 
help in doing a metatheoretical analysis of a given action theory, and many 
of the comments concerning Zhang et al.^s approach could be repeated here. 
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Another criticism that could be made about both these approaches con- 
cerns the assumption of full executability they rely on. We find it too 
strong to require all actions to be always executable, and to reject as bad 
an action theory admitting situations where some action cannot be exe- 
cuted at all. As an example, consider the very simple action theory given 
by 1S5 = iS]^, £^5 = {[tease]walking} , = and X5 = X^, and consider 
^= {{tease, walking)}. Observe that, with our approach, it suffices to derive 
the implicit inexecutability law -> alive [tease\-L, change X, and the system 
will properly run in situations where -> alive is the case. 

On the other hand, if we consider the equivalent representation of such 
an action theory in the approach of Lang et ai, after computing the com- 
pletion of T^^"'^^^ if we test its executability, we will get the answer "no" , the 
reason being that tease is not executable in the possible state where ^alive 
holds. Such an answer is correct, but note that with only this as guideline 
we have no idea about where a possible modification in the action theory 
should be carried on in order to achieve full executability for tease. The 
same observation holds for Zhang et a/.'s proposal. 

Just to see how things can be even worse, consider the action theory 
{S^,£^,X^,T^), with = S^, = = {alive {tease)T} and 

X5 = {-lalive —>■ [tease]!.}, with the same obtained by the correc- 
tion of {S^,£^, X^,Ir} above with the algorithms we propose. Observe that 
{S^,S^, X^,I^) satisfies all our postulates. It is not hard to see, however, 
that the representation of such an action theory in the above frameworks, 
when checked by their respective consistency tests, is still considered to have 
a problem. 

This problem arises because Lang et a/.'s proposal do not allow for exe- 
cutability laws, thus one cannot make the distinction between X = { (tease) T}, 
X = {alive {tease)T} and A" = 0. By their turn, Zhang et a/.'s allows for 
specifying executabilities, but their consistency definitions do not distinguish 

the cases alive {tease)T and {tease)T. 

A concept similar to that of implicit static laws was firstly addressed, as 
far as we are concerned, in the realm of regulation consistency with deontic 
logic j3] . Indeed, the notions of regulation consistency given in the mentioned 
work and that of modularity presented in [20] and refined here can be proved 
to be equivalent. The main difference between the mentioned work and the 
approach in [201 relies on the fact that in jS] some syntactical restrictions on 
the formulas have to be made in order to make the algorithm to work. 

Lifschitz and Ren jSU] propose an action description language derived 
from C+ PHI in which domain descriptions can also be decomposed in mod- 
ules. Contrarily to our setting, in theirs a module is not a set of formulas 
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for given action a, but rather a description of a subsystem of the theory, 
i.e., each module describes a set of interrelated fluents and actions. As an 
example, a module describing Lin's suitcase jHl] should contain all causal 
laws in the sense of C+ that are relevant to the scenario. Actions or fluents 
having nothing to do, neither directly nor indirectly, with the suitcase should 
be described in different modules. This feature makes such a decomposition 
somewhat domain-dependent, while here we have proposed a type-oriented 
modularization of the formulas, which does not depend on the domain. 

In the referred work, modules can be defined in order to specialize other 
modules. This is done by making the new module to inherit and then special- 
ize other modules' components. This is an important feature when elabora- 
tions are involved. In the suitcase example, adding a new action relevant to 
the suitcase description can be achieved by defining a new module inheriting 
all properties of the old one and containing the causal laws needed for the 
new action. Such ideas are interesting from the standpoint of software and 
knowledge engineer: reusability is an intrinsic property of the framework, 
and easy scalability promotes elaboration tolerance. 

Consistency of a given theory and how to prevent conflicts between mod- 
ules (independent or inherited) however is not addressed. 

In this work we have illustrated by some examples what we can do in 
order to make a theory intuitive. This involves theory modification. Action 
theory change has been addressed in the recent literature on revision and 
update [2H1 1211 IH|- In [H] we have investigated this issue and shown the 
importance that modularity has in such a task. 

10 Conclusion 

Our contribution is twofold: general, as we presented postulates that ap- 
ply to all reasoning about actions formalisms; and specific, as we proposed 
algorithms for a dependence-based solution to the frame problem. 

We have defined here the concept of modularity of an action theory and 
pointed out some of the problems that arise if it is not satisfied. In particular 
we have argued that the non-dynamic part of action theories could influence 
but should not be influenced by the dynamic one.^^ 

We have put forward some postulates, and in particular tried to demon- 
strate that when there are implicit static and inexecutability laws then one 

-'^-'^It might be objected that it is only by doing experiments that one learns the static 
laws that govern the universe. But note that this involves learning, whereas here - as 
always done in the reasoning about actions field - the static laws are known once forever, 
and do not evolve. 



35 



has slipped up in designing the action theory in question. As shown, a possi- 
ble solution comes into its own with Algorithms 14.11 and 15.11 which can give 
us some guidelines in correcting an action theory if needed. By means of 
examples we have seen that there are several alternatives of correction, and 
choosing the right module to be modified as well as providing the intuitive 
information that must be supplied is up to the knowledge engineer. 

Given the difficulty of exhaustively enumerating all the preconditions un- 
der which a given action is executable (and also those under which such an 
action cannot be executed), it is reasonable to expect that there is always 
going to be some executability precondition ipi and some inexecutability pre- 
condition that together lead to a contradiction, forcing, thus, an implicit 
static law -i{(piA(p2)- This is the reason we propose to state some information 
about both executabilities and inexecutabilities, and then run the algorithms 
in order to improve the description. 

It could be argued that unintuitive consequences in action theories are 
mainly due to badly written axioms and not to the lack of modularity. True 
enough, but what we have presented here is the case that making a domain 
description modular gives us a tool to detect at least some of such problems 
and correct it. (But note that we do not claim to correct badly written 
axioms automatically and once for all.) Besides this, having separate entities 
in the ontology and controlling their interaction help us to localize where the 
problems are, which can be crucial for real world applications. 

In this work we used a version of PDL, but our notions and results can 
be applied to other frameworks as well. It is worth noting however that for 
first-order based frameworks the consistency checks of Algorithms 14. Il and l5. II 
are undecidable. We can get rid of this by assuming that {S ,£ , X ,2) is finite 
and there is no function symbol in the language. In this way, the result of 
NewCons is finite and the algorithm terminates. 

The present paper is also a step toward a solution to the problem of 
indirect dependences: indeed, if the indirect dependence shoots -^walking is 
not in then after running Algor it hm 15 . 1 1 we get an indirect inexecutability 
{loaded A walking) — > [shoot]±, i.e., shoot cemiaot he executed if loadedAwalking 
holds. Such an unintuitive inexecutability is not in T and thus indicates the 
missing indirect dependence. 

The general case is nevertheless more complex, and it seems that such 
indirect dependences cannot be computed automatically in the case of inde- 
terminate effects (cf. the example in j3]). We are currently investigating this 
issue. 

A different viewpoint of the work we presented here can be found in ^H] , 
where modularity of action theories is assessed from a software engineering 
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perspective. A modularity-based approach for narrative reasoning about 
actions is given in |23j . 

Our postulates do not take into account causality statements linking 
propositions such as those defined in |SI1 Elj- This could be a topic for 
further investigation. 
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An action theory {S ,£"', with satisfies Postulate PS if and only if 



We recall that |= is logical consequence in Classical Propositional Logic, 
and PI (A) is the set of prime implicates of the set A of classical formulas. 

Before giving the proof of the theorem, we recall some properties of prime 
implicates [S21 ES] and the function NewCons ^Tj. Let ip G S^ml, A C ^m[, 
and X be a clause. Then 



1. ^ ^ /\PI{ip) [Sni Corollary 3.2]. 

2. PI{A) U NewConsAi'-p) = PI{A A v?) (from the definition of NewCons 



3. \=AA(p^AA NewCons Ai^) (from □ and E)) 

4. If PI{f) 1= X) then there exists x' ^ PHf) such that x' \= X [33 
Proposition 3.4]. 

Let -^C 2tct X £it, (p ^ {a)T e X", C = U I", and C» C C. We 



ers. 



A Proof of Theorem 14.3 








define: 
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Lemma A.l SU{ip(^a}U{l\^ ^i^^^^^^i^ ^Ij} \=-L if and only if SUNewConss{ipc'')^ 

Proof: Consequence of Property El ■ 

Lemma A. 2 If 5 U NewConssiipc'^) U {/\^ ^;^_[^]^;^, -^Ij} \= ±, then 3% e 
A^eu^Cons^l^AcO such that 5 U {x} U {A|=^^/^.^[a]^i, ^^i) H^- 

Proof: Consequence of Properties d 121 and 0] ■ 

Lemma A. 3 If SLi{(p, (p^'a}l^{/\i^ ^i.^i^^^i. ^Ij} ^-L and S Li New Cons s{ip^'a)l^ 
{A\= -^ij->[a]^ij H -L) then 3x € NewConss{ip^a) such that S U {x} U 

Proof: By Lemma fA.2l and Classical Logic. ■ 

Lemma A. 4 If SLi{(p, (p(,'a}Li{/\, ^^.^ui.,, -i/j} ^J- andSLiNewConss{ip(,'a)Li 
{A\= -,/^[a]-./ H -L) then 3% e NewConssi^Pca) such that both 5 U 

{yp, U { ./,^[a]./, and 5 U {x} U { h^- 



Proof: Trivially, by Lemma [A .31 



Lemma A. 5 If x ^ NewConss{;ipca)i?>svich.t\iat SU{ip,ip^a}^{/\\^ ^ 
± and 5 U {x} U { A^ h^, then 5 U {<^, J U {A ^.^7-4} 

and5U{x}U{A/.ex -4} h^- 

Proof: Let X G A^'ewCons^ be such that 5U{v9, V9^-„}U{A|= "i^j} ^ 

L and 5 U {x} U {A^.i^^[,]./^ h^- 
If X = -L, the result is trivial. 

Let atm{ip) denote the set of atoms occurring in a classical formula ^p. 

• If atm{x) 't- atm{/\^ _,;_^.^[^]_,;^ then the premise is false (and the 
lemma trivially holds). 

• If atm{x) = atm{/\, ^^.^r , -i/^), the lemma holds. 
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• Let atm{x) C aim(A^^i,^[a]^z, ^^i)- From5U{(^, v?c4U{A^^z^.^[a]^z,. ^^i) 
± it follows 5U{(/.,(/.c4U{ A .,.x -4} From 5U{x}U{A^ 
± and because 5 U {At ^r^fd-./ -L? it follows 5 U {x} U 



Lemma A. 6 If x ^ NewConssi^Pca) is such that 5U{(y9, (y9^-„}U{/\ /-g^^ -i/,;} ^ 
± and 5 U {x} U {Ai,ex -4} h^, then S U U {A'.ex -4} and 

Proof: From S U U {/\ i^ex ~^k} ^-L we conclude 5 U {/\ ,^6^ -i/j} ^ 

±. From this and the hypothesis S U {x} U {A'iSx ~^k} |= -L, it follows 

U {A'iex ~^h} \= ^X- If 5 1= -ix, then S^ifj^a |= ~iX; aiid because x ^ 

NewConss{ip^'a), we have x H ~'X) a contradiction. Hence 5 U {x} ^ -L- 
Suppose now that there is at least one literal / G x such that -il does not ap- 
pear in A'iSx ~'k- Then, the propositional valuation in which Xi*-true satisfies 

S U {x} U f\ i^ex ~^k, and then S, {x}, A hex ~'4 -L- Hence there cannot be 

such a literal, and then V/j G x? ^^7^ 4- ■ 

Proof of Theorem 14.31 

(^): Suppose Simp* 7^ 0- Then at the first step of the algorithm there has 
been some {a)T G and some C"- C C"" such that S , £"•, X"-,!"' 

-i((y9 A ip(^a) and iS ^ -^{ip A v^c")- Hence (5, i^", A"**, X") with does not 
satisfy Postulate PS. 

(<^=): Suppose that Simp* = 0- Therefore for all ip' {a)T E X°- and for all 
subsets C C, we have that 



Vx G NewConssiipca) if 5 U {v?', v^ca, -ix} ^-L, then 34 G x, 4 (1) 

From (P), the contraposition of Lemmas IA.6MX73j and Lemma \A.1\ it 
follows that for all (a)T G A"^ and C'^ C C'', 



if 5 U {if', ifica} U { /\ then 5 U {^^4 U { /\ ^1^} ^_ 

(2) 
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Now, suppose S ^ ip foT some propositional (p. We will build a model 
^ such that ^ is a -^-model for {S,S'^,X°-,I"-) that does not satisfy (p. 
Let W be the set of all propositional valuations satisfying S that falsify 
ip. As S ^ (f, S U {^f} is satisfiable, hence W must be nonempty. We 
define the binary relation Ra on W such that wRaw' if and only if for every 
ip — *• [alip e such that |= ip: 



• 1= , -1 L for all such that a -/^ L and 1= -i . 

Taking the obvious definition of V we obtain a model ^ = {W, R, V). We 
have that ^ is a -^-model, by the definition of Ra, and S AS" AX"' Al", 
because: 

• \^ S: by definition of W; 

• 1='^ C*: for every world w and every ip — >■ [a]-?/; G C"", if <y9, then, by 
the definition of Ra, 4' for tf' G such that wRaw'; 

• \^ let £°-{w) = {ip ^ [a\il) G E"- :|=^ v'}, and indepa{w) = {-i/ : 

a 7^ / and -i/}. Then, for every world w and every ip' (a)T G 

A"", if 1=^ ip' Aip£a(^^)Aindepa{w), then from Q, ip£'^{w) /\i'>^dep a{w) ^ ±. 

As is maximal, there exists at least one w' such that ipe'^iw) A 
indepa{w). As i?^ is maximal by definition, we have wRaw'. 

and the definition of Ra, there exists at least one w' such that wRaw'. 



Clearly ^ V^, by the definition of W. Hence S ,8°', ^ if. Therefore 

{S, 8\ X\ Z°-) and ^ violate Postulate PS. ^ ■ 

B Proof of Theorem 15.2 

// l\S ,E°',X"', X"") with ^ satisfies Postulate PS, then it satisfies Postulate PI 
if and only ifXf^p = 0. 

Let -^C 2tct X £it and ip ^ («)T G X"-. For every S'' C we define: 



w 
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Moreover, we define 

Lemma B.l If (5,^^ A'", J") satisfies Postulate PS, then S ,8", X",!^ 
V9 [a]± implies S,8°',X"' |^ ^ [a]±. 

Proof: Straightforward as a special case of Theorem 18 .21 ■ 

Lemma B.2 If for each we have S U {^^a} ^ -L implies S U {ip^a} ^ -L, 
then S.E",!" 1=,^^^ ^ [a]± implies S ,1" 1=,^^^ ^ [a]±. 

Proof: If S ^X°- ^^^^ — > [a]-L, then there exists a PDL-model ^ = 
( VK, i?, V) such that 5 A X'^, and there is a possible world w G 1^ such 
that 1= if) and 1= (a)T. 

(We are going to construct a counter-model for 5, £"■,1°- f> —>■ [o]-L-) 
Let = [a^ip e ■.\=^ (f}. Then = /\Wi ■ ^Pi 

[a]tjji G £"'{w)} is such that \^ 'Ps'-iw)- As 5 A v5£-a(^) is thus satisfiable, 
S A 'ip£'^{w), with Tpeaf^^^ = /\{ipi : — » [a]^/'j G £"'{w)}, must be satisfiable, 
too (by hypothesis, because £°'{w) C £''). Hence, there exists a propositional 
valuation val such that val{S A = 1. 

Consider, thus, v such that v ^ W, and extend F such that V{v) = val. 
Let ^' = {W,R', V) be such that W = WU {v}, RlJ^w) = {v} for all u 
such that \^ if and R'a_{u) = otherwise, and V = VU {{v, V{v))}. 

Then: 

• 1=^ 5 because |=^ 5 and val{S) = 1. 

• \^ 2"' because \^ [f^l-L, by definition of R'aiv), and \^ I"' because 
^ (y9 for all (y9 ^ [a]± G X*^, as ^ (otherwise, as X°-, we would 
not have \^ (o)T). 

• 1^ £"• because [ol-L, and 1=^ by construction of R'(w) = 
{v} and 1= V^'-Cti))- 

• ^ 09 A (a)T. 

w 

Hence is still a model of 5, X" and Of course, is a counter- 
model for ip [o]-L- ■ 
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Lemma B.3 Let J^" = {^l ^ [a]^l : a-/^ I}. Then if 5, £^X^ Jf^^, J^'^ ^rdl 
cp ^ [a]±, then J«, J^^ hpoL ^ ^ [«]^- 

Proof: If S ,8°',X°-,X1^p V^pdv. ^ ~^ i'A^i ^^en there exists a PDL-model 
^ {W,R,V) such that |^ 5 A A J'^ A X^^^, and there is a possible 

world w E l^such that \^ u) and 1=^ (o)T. 

We are going to construct a counter-model for 5, £^",X'*,X,^p, JF'' |=p|^|^ 
<^ ^ [a]±. Let = (1^, I/) be such that W = W, and Rl^iw') = for 
every w' ^ w, and V — V. 

Of course, is still a model of <S, 5", T'* and Xj^^. 

For every C the case where V£a/\~'X, with x £ NewConssii^^a)-, 

a ^i,V^i e X, is impossible, because |=^ '^tmp hence we would have 

Ra{w) — 0, contradicting the hypothesis that \^ («)T. 
Thus, we have to consider only the following cases: 

• if \^ k, for every k such that k, then is also a model of J-'"', and 
then we have a counter-model for S,S°',X'',X^j^p,J^°' ^ — > [fl]-L- 

• if \^ V'fa A/\ -i^j, where li and there is no clause x £ NewConss (V'f a) 

such that 4 G X; foi' some C then of course ip^a A /\ -i4 is sat- 
isfiablc, i.e., there is a valuation where -^^a A holds. Let ?;aZ£a be 
such a valuation. 

Consider, thus, v such that v ^ W, and extend V' such that V(f ) = 
valg'a. Now let = {W, R", V") be such that 1^' = 1^ U {v}, and 
r{{w) = valg,, and T = 1^ U {(v, 

Again, it can easily be checked that is a model of 5, X"' 
and Xfmp. Moreover, it is a model of J^", and hence a model for 
5,£:«,X«,X«„^,^«and(^A(a)T. 



Lemma B.4 If 5,£:«,X« V ^ then Sa^^Lp Hdl ^ ^ [«]^- 
Proof: Let 

The following steps establish the result. 
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1. S,£"',T"- 1^ — > [a]±, by hypothesis 

2. S ,S'',X"',I^^p ip ^ [^]-L, fromlU and monotonicity 

3. S hpDL A^" ^ (A^"^ A A^''"). by definition of 8"+ and S"' , and 
PDL 

4. 5,^^^+ U E^-.I^X^^^ h^^^ [«]^' fromH andEl 

5. £°-^ C J^p, as if ^p^a [«]'?/'£:"a ^ f^"", then 5 |= ip^^ -L, and then 
± G NewConss{ip£a), from which it follows that (v?£;~a A T) — [a]± G 
Xf„p, and then ^ G Jf„p 

6. J", Jf„p |=L, ^ ^ N^, fromH andEl 

7. S,S°''^,I"',I^jj^p,J-'°' |=pp|_ v9 [fl]-L, fromini and definition of where 
J^" = {^l^ [a]^l: a 7^ /}. 

8. S^S^+.X^.Ttrap hpDL <^ ^ [«]^' fromEl and LemmaEl 

9. S,2°',2^^p H>DL ^ ~^ VA^i fromlHl and Lemma IB. 21 whose hypothesis 
is satisfied by the definition of 

■ 

Proof of Theorem EH 

{=^\- Straightforward, as every time S ^E"" ^X"- ^X"' |=^ (yj [f*]-L, we have 
S ,X°- |=pj^|^ ip — * [a]-L, and then X^^^ never changes. 

(<^=): We are going to show that if S, S", X"-,!" ip ^ [a]± and 1°^^ = 0, 
then S,I-^p^^ if ^[a]±. 

1. S,£'',X'',I'' h^^-^ [a]±, by hypothesis 

2. S, £"',!"• 1=^ — > [a]±, fromHJ and Lemma IB. II 

3. 5, J"", Jj^p H>DL ^ ~^ t^]-'-' fro'^El and Lemma lR4l 

4. 5,T" 1= (p [a]±, fromEl and hypothesis Xf = 0. 



